If you've written your first iRule, you've most likely used the log command to check your iRule logic or reflect the status of the connections running through it.  Recent updates to the log command make it even more useful by providing direct support within iRules for selective remote syslogging.

Remote Log Server Support

In LTM 9.4.0, the log command was enhanced to provide the ability to send messages to a remote server. You can also optionally specify the remote port if you want messages sent to a port other than the default remote syslog port (514). If you specify a remote log server address, you must also specify at least the log facility.

This discretionary remote log server support is extremely useful if you want specific iRule activity logged to a remote location, but still want to retain your existing global syslog-ng configuration.

Rule Name Suppression

By default, every BIG-IP log message looks something like the sample below:

Apr  8 04:20:42 tmm tmm[1595]: 01220002:6: Rule : Log me, baby

The "-noname" option was added in LTM 9.4.2 to allow suppression of any "Rule : <rulename> <event>" string that may be prefixed to the message by LTM. Its intended use was for remote logging, but it works locally as well. If you include the "-noname" option, you must also specify at least the log facility.


Here is the recommended basic log command syntax for local logging at the default log level. Specifying the facility ensures all activities will be logged as unique events; local0 is the default facility for LTM logging:

log local0. "Log me one time"

The resulting output looks like this:

Apr  8 04:20:42 tmm tmm[1595]: Rule : Log me one time

This example uses the "-noname" option to log locally while suppressing the "Rule : " string prefixing the message text.

  log -noname local0. "I could not speak"

with this result:

Apr  8 04:20:42 tmm tmm[1595]: I could not speak

Use this syntax to specify a remote syslog server on the default port, facility & level:

  log local0. "Log me 2x, girl"

The message with the "Rule : " prefix will be sent to the remote server:

  Rule : Log me 2x, girl

This syntax will log to the syslog service at on port 5514, suppressing the "Rule : " prefix:

log -noname local0. "Log me all thru the week"

The message, this time without the "Rule : " prefix, will be sent to the remote server on the specified port:

  Log me all thru the week

You can still specify the log level in addition to the facility as in previous versions:

  log local0.warning "Log me 2x"

and the message format remains unchanged, though it may be filtered differently:

Rule : Log me 2x

And finally you can combine all 3 to send messages to a remote server on an alternate port, specifying a new log facility and level, and suppressing the iRule name output:

  log -noname local3.warning "I'm goin' away"

This message will be sent to on local3.warning:

I'm goin' away
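
The forms above combined in one iRule that keeps routine output local and sends only selected events to a remote collector. This is an added example, not code from the original article. It assumes the remote form `log [-noname] <address>[:<port>] <facility>.<level> <message>`; the address 192.0.2.10 (a documentation-range placeholder), port 5514, the /admin path and the key=value message layout are all constructed for illustration.

```tcl
# Added example (not from the original article).
# ASSUMPTIONS: 192.0.2.10 is a placeholder collector address from the
# RFC 5737 documentation range; port 5514, the /admin path and the
# key=value message layout are constructed for illustration.

when HTTP_REQUEST {
    # Keep request details for use in HTTP_RESPONSE on this connection.
    set req_uri  [HTTP::uri]
    set req_meth [HTTP::method]
    set client   [IP::client_addr]

    # Routine debug output stays local, with the default "Rule" prefix.
    log local0. "request $req_meth $req_uri from $client"

    # Selected activity also goes to the remote collector. -noname drops
    # the "Rule" prefix so the collector receives only the key=value text.
    if { [string tolower $req_uri] starts_with "/admin" } {
        log -noname 192.0.2.10:5514 local3.warning \
            "event=admin_access client=$client method=$req_meth uri=$req_uri"
    }
}

when HTTP_RESPONSE {
    # Authentication/authorization failures are sent remotely on the
    # default syslog port (514), keeping the "Rule" prefix.
    if { [HTTP::status] == 401 || [HTTP::status] == 403 } {
        log 192.0.2.10 local0.warning \
            "event=auth_denied client=$client status=[HTTP::status] uri=$req_uri"
    }
}
```

The per-request local log line is meant for debugging; the two remote log calls are the part that persists in a production rule.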

More on logging with iRules…

Full details of the “log” command can be found in the iRules wiki: https://devcentral.f5.com/wiki/default.aspx/iRules/log.html

Joe’s iRule Debugging article: iRules 101 #09 - Debugging

Need more extensive or global syslog configuration changes in LTM 9.4.2 & above? Check this: LTM 9.4.2+: Custom Syslog Configuration
